The New York attorney general has fined Refuah Health Center, a federally funded health center serving underserved communities, up to $450,000 in a settlement following an investigation into a 2021 ransomware attack. The agreement requires Refuah to pay at least $350,000, with a potential additional $100,000 fine suspension contingent on strengthening its cybersecurity program. Furthermore, the health center must invest over $1 million between fiscal 2024 and 2028 to enhance its information security program. The settlement exposes HIPAA privacy, security, and breach notification rule violations, including failures in decommissioning inactive user accounts, lack of multifactor authentication, and insufficient logging for user activity review.
The ransomware attack on Refuah Health Center occurred in May 2021 and was attributed to the Lorenz cybercriminal group. The investigation found lapses in security practices, such as the use of a static four-digit code to protect access to a system used for viewing security camera videos. Attackers gained remote access to Refuah’s network using stolen login credentials for an administrative account associated with a former IT vendor. Despite not working with Refuah since 2014, the vendor’s account had not been deleted or disabled, and multifactor authentication was not enabled. The attackers exfiltrated approximately a terabyte of data, affecting thousands of unencrypted files, employee emails, and patient information.
The settlement requires Refuah to appoint a qualified employee responsible for implementing, maintaining, and monitoring the information security program. This individual must report regularly to Refuah’s CEO, senior management, and board of directors. The enforcement action emphasizes the importance of robust cybersecurity measures in healthcare, particularly for entities handling sensitive patient information. The fines and investment in cybersecurity infrastructure aim to address vulnerabilities exposed by the ransomware attack and prevent future breaches, reflecting a broader trend of regulatory scrutiny on healthcare organizations’ data security practices.
